Full Report
Federal prosecutors accuse Cameron Wagenius of searching how to defect to Russia days after he tried to sell stolen data to a foreign intelligence service. Source article: "Army soldier linked to Snowflake attack spree allegedly tried to sell data to foreign spies," CyberScoop.
Analysis Summary
# Threat Actor: Cameron Wagenius (Insider Threat/Cybercriminal)
## Attribution & Identity
* **Primary Identity:** Cameron Wagenius, a 21-year-old U.S. Army soldier.
* **Known Aliases:** `kiberphant0m` and `cyb3rph4nt0m` (used on online criminal forums).
* **Associated Groups:** Allegedly linked to an online gang/culture termed "The Com," indicating potential insider threat risks stemming from gang affiliations. Co-conspirators include Connor Moucka and John Binns.
* **Attribution Context:** Although the immediate focus is on an individual insider threat, the activity involves communication with a suspected foreign intelligence service, blurring lines with espionage.
## Activity Summary
Wagenius engaged in illegal activities including attempting to sell stolen sensitive information to a foreign intelligence service and extortion attempts.
* **Extortion Campaign:** Attempted to extort $500,000 from a major telecommunications company (identified as AT&T) in November by threatening to leak phone records of high-ranking public officials.
* **Data Sales Attempt:** Communicated with an email address believed to belong to a foreign intelligence service in November, attempting to sell stolen data.
* **Precursor Activity:** The records he allegedly possessed were stolen during a prior attack spree targeting up to 165 organizations that stored data on Snowflake. His co-conspirators were indicted for extorting organizations through access to cloud platforms used by AT&T.
* **Flight Risk Indicators:** Searched for "can hacking be treason" and for information on fleeing the U.S. and defecting to Russia.
## Tactics, Techniques & Procedures
* **Data Exfiltration/Theft:** Possession of data stolen from victims storing data on Snowflake environments.
* **Extortion:** Direct financial extortion threat against a major telecom provider.
* **Evasion/Obfuscation:** Used VPN software on a newly purchased laptop to hide identity and location while operating from a military barracks (Fort Cavazos, Texas).
* **Insider Access:** Exploited privileged access as a serving Army soldier to obtain sensitive data.
* **Evidence of Other Crimes:** Authorities seized devices revealing access to thousands of stolen ID documents and large amounts of cryptocurrency.
* **MITRE ATT&CK IDs:** Not explicitly provided in the text, but the activity broadly aligns with **TA0009 (Collection)** and **TA0011 (Command and Control)**, particularly in the context of insider threats.
## Targeting
* **Sectors:** Telecommunications (specifically targeting AT&T).
* **Geography:** Activity originating from the U.S. (Fort Cavazos, Texas), with alleged attempts to engage foreign intelligence services.
* **Victims:** A major telecommunications company (AT&T), and high-ranking public officials (whose phone records were threatened).
## Tools & Infrastructure
* **Malware Families Used:** Not specified.
* **Infrastructure (C2, domains, IPs):**
  * Communicated via an email address believed to belong to a foreign intelligence service.
  * Used **VPN software** on a new laptop to conceal location.
  * Data sources involved compromises of **Snowflake** cloud platforms used by multiple companies.
  * Source URLs referenced (scheme stripped): `storage.courtlistener.com/recap/gov.uscourts.wawd.343000/gov.uscourts.wawd.343000.30.0.pdf`, `cyberscoop.com/as-many-as-165-companies-potentially-exposed-in-snowflake-related-attacks-mandiant-says/`, `cyberscoop.com/connor-moucka-snowflake-data-breach-indictment-john-binns/`, `cyberscoop.com/att-data-breach-snowflake/`, `cyberscoop.com/tag/the-com/`
## Implications
This case represents a significant crossover between financially motivated cybercrime and national security threats. The actor's willingness to engage a state-level actor (foreign intelligence service) for financial gain elevates the risk profile beyond standard cyber extortion. The incident highlights the critical danger posed by insider threats within sensitive military or governmental roles, especially when coupled with affiliations to organized cybercriminal "gang culture."
## Mitigations
* Heightened awareness and monitoring for U.S. military personnel conducting suspicious online research related to defection, espionage, or illicit data sales.
* Strict enforcement of orders regarding the use of personal devices (like the new laptop purchased against orders) and unauthorized network access within secure facilities.
* Enhanced monitoring for indicators of insider compromise relating to data sourced from third-party cloud environments like Snowflake.
* Addressing the "historical lack of deterrence" perception among cybercriminals by pursuing significant legal action, as suggested by expert commentary.